this post was submitted on 30 Aug 2024
236 points (97.6% liked)

Ask Lemmy

27001 readers
1384 users here now

A Fediverse community for open-ended, thought provoking questions

Please don't post about US Politics. If you need to do this, try [email protected]


Rules: (interactive)


1) Be nice and; have funDoxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them


2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?


3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.


4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected]. NSFW comments should be restricted to posts tagged [NSFW].


5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.


Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija


Logo design credit goes to: tubbadu


founded 1 year ago
MODERATORS
 

"The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media."

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up...for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn't need to?

you are viewing a single comment's thread
view the rest of the comments
[–] General_Effort 2 points 2 months ago (1 children)

That is entirely incorrect. It is general data protection regulation, not privacy regulation.

You are given certain rights over data relating to you. For example: you may have it deleted. Have you googled the name of a person? At the bottom, you will find a notice that "some results may have been removed". Under the GDPR, you can make search engines delete links relating to you; for example, links to unflattering news stories (once you are out of the public eye).

[–] Nibodhika 1 points 2 months ago (1 children)

Sorry, forgot about answering here. Although the name is General data it is about personal data. I was going to reply with point by point why it either doesn't apply to Lemmy or it follows GDPR, but I think it might be easier to answer directly your point about right to be forgotten.

First of all Lemmy allows you to delete your posts and user so it complies with it, but even if it didn't GEPR has this to say:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

Paragraphs 1 and 2 are the right to be forgotten

for exercising the right of freedom of expression and information;

Which one could argue is public forum primary use

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

Which again one could argue is part of the purpose of Lemmy as well.

[–] General_Effort 1 points 2 months ago (1 children)

I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR

It does apply to lemmy and lemmy is not compliant. That is simply a fact as far as the courts have ruled so far.

Which one could argue is public forum primary use

One can argue a lot. But if such hand-wavy arguments work, then why do you think anyone ever has to pay fines or damages?

For this argument to work, you have to argue that erasing the precise personal data in question would infringe on someone else's right to freedom of expression and information.

The original "right to be forgotten" was about links to media reports. The media reports themselves did not have to be deleted because of freedom of information, but google had to delete the links to them to make them harder to find. This is a narrow exception. Under EU law, data protection and these freedoms are both fundamental rights. They must be balanced. The GDPR dictates how. These exceptions will only apply where these freedoms are infringed in a big way.

At least, you have to do like reddit and anonymize the comments and posts. It could be argued that you actually may not even do more. Removing comments that someone else has replied to arguably makes their personal data incomplete. Reddit's approach meets a lot of outspoken criticism on lemmy.

The problem is that the data is duplicated all over the federated instances. So, someone on your instance deletes their data, Other instances also delete their copies. What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That's right. You pay damages to your user because you screwed it up.

[–] Nibodhika 1 points 2 months ago (1 children)

Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It's arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay "forever". Otherwise Bitcoin would be completely ilegal since there's no way to delete information there.

What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That's right. You pay damages to your user because you screwed it up.

Not really, again, the text of the law states that if the information has been made public the company must inform whoever they made the data public to:

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

AFAIK Lemmy federated deletions, whether an instance acts on it or not is another matter.

But GDPR doesn't work like you think, let me give you an example, say you sent an email from provider A to someone on provider B, then you decide to delete that email account, the email you sent will still be in provider B, even if company A deletes all of your information that email is still there and won't get deleted. This is fine with GDPR, otherwise no email provider could operate here. Same goes for other federated or decentralized technologies.

[–] General_Effort 1 points 2 months ago (1 children)

Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It’s arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay “forever”. Otherwise Bitcoin would be completely ilegal since there’s no way to delete information there.

Any number of people here will happily tell you where to shove your illegal technology. In truth, the GDPR is explicitly meant to limit what may be done with existing technology.

With crypto, one can make use of some existing exceptions and perhaps create compliant apps. I'm not familiar with those. Much that stuff is not compliant. There isn't a lot of enforcement.


So that's my bad. I pointed out the issue with the right to erasure to highlight the problem, In truth, the probable violation happens when the data is shared. With e-mail, the user sends their own data, just like while clicking links. The transfer of data for lemmy federation is under the control of the instances involved. It might still be okay, like serving the data over the web. But that requires the user to know what's going on.

If you could hand-wave these problems away so easily, Meta would not be paying those huge fines. What do you actually think that's about?

[–] Nibodhika 1 points 2 months ago (1 children)

Data in Bitcoin is undeletable, it's impossible for any law to force anything from being deleted on Bitcoin. Then the same exceptions that apply there would apply to Lemmy since the technology is similar in the relevant aspects (besides deletion being theoretically possible on Lemmy).

As for Meta, the problem is that the data they're sharing is not public. Meta is not getting fined for sharing things you posted on your publicly, since they share those regardless by virtue of them existing and being publicly available, they're fined for sharing things you put privately or data derived from non publicly available sources such as how you interact with Meta.

Any information that a user willingly makes public can be processed in any way, even if it includes identifiable medical information (which is the biggest no-no of GDPR). It even has a specific point about it in 9.2.e

processing relates to personal data which are manifestly made public by the data subject;

Essentially saying you can process anything that was made public by the person. GDPR is to protect people from companies doing shady things, not to prevent people from themselves. Because EVERYTHING is public in Lemmy, all data in it has been manifestly made public by the person who created it.

[–] General_Effort 1 points 2 months ago

Bitcoin.

It may be illegal to operate a bitcoin miner in Europe. That's entirely possible. I don't think the courts would go so far as to outlaw crypto in Europe via that route. But who knows.

the technology is similar in the relevant aspects

No. You can just turn off federation. You can make contracts with the instances you federate with. With crypto, you have to send the whole blockchain around, or else you don't have crypto.

As for Meta, the problem is that the data they’re sharing is not public.

No. Look up what companies and people are fined for.

Any information that a user willingly makes public can be processed in any way

No! NO!!!

You may not process any personal data without a legal basis. It does not matter if public or not.

Certain sensitive personal data may not be processed at all, even with a legal basis. Except in certain circumstances listed in Article 9.